chore(ci): Add Github Action auditing

blue-build · Dec 14, 2024 · 4103184 · 4103184
1 parent 469c604
commit 4103184
Show file tree

Hide file tree

Showing 7 changed files with 72 additions and 106 deletions.
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
@@ -30,6 +30,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -64,6 +65,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -100,6 +102,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -134,6 +137,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -165,6 +169,7 @@ jobs:
       # Setup repo and add caching
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -183,6 +188,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -201,6 +207,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -233,6 +240,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -271,6 +279,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -312,6 +321,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -360,6 +370,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -406,6 +417,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -449,6 +461,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -485,6 +498,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -525,6 +539,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -25,6 +25,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -43,6 +44,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -78,6 +80,7 @@ jobs:
       # Setup repo and add caching
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           ref: main
 
       - name: Login to GitHub Container Registry
@@ -119,6 +122,7 @@ jobs:
       # Setup repo and add caching
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           ref: main
 
       - name: Login to GitHub Container Registry
@@ -158,6 +162,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -204,6 +209,7 @@ jobs:
       # Setup repo and add caching
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           ref: main
 
       - name: Login to GitHub Container Registry
@@ -240,6 +246,7 @@ jobs:
       # Setup repo and add caching
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           ref: main
 
       - name: Run integration tests
@@ -275,6 +282,7 @@ jobs:
       # Setup repo and add caching
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           ref: main
 
       - name: Expose GitHub Runtime
@@ -311,6 +319,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           ref: main
 
       - name: Expose GitHub Runtime
@@ -355,6 +364,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -406,6 +416,7 @@ jobs:
       # Setup repo and add caching
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           ref: main
 
 
@@ -514,6 +525,7 @@ jobs:
       # Setup repo and add caching
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           ref: main
 
 
@@ -560,6 +572,7 @@ jobs:
       # Setup repo and add caching
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           ref: main
 
 
@@ -598,6 +611,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -641,6 +655,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}

diff --git a/.github/workflows/flakehub-tagged.yml b/.github/workflows/flakehub-tagged.yml
@@ -16,8 +16,9 @@ jobs:
       id-token: "write"
       contents: "read"
     steps:
-      - uses: "actions/checkout@v3"
+      - uses: "actions/checkout@v4"
         with:
+          persist-credentials: false
           ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
       - uses: "DeterminateSystems/nix-installer-action@main"
       - uses: "DeterminateSystems/flakehub-push@main"

diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -27,6 +27,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           fetch-tags: true
 
@@ -61,6 +62,7 @@ jobs:
 
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           fetch-tags: true
 
@@ -83,6 +85,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           fetch-tags: true
 
@@ -122,6 +125,7 @@ jobs:
       # Setup repo and add caching
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           fetch-tags: true